The third annual GRC Technology Innovation Awards recognize technologies that are revolutionizing the Governance, Risk Management and Compliance (GRC) market. Fifteen technologies were selected out of 62 applicants after being carefully evaluated for their innovation.
Over the years GRC technology has evolved and changed. The GRC Technology Innovation Awards process for 2014 recognizes this evolution and represents the most competitive pool of applicants to date. GRC 20/20 closely evaluated all of the written nominations and selected 15 recipients to receive this honor. Some of these recognitions go to established solution providers — others go to up-and-comers. Some have mature offerings, others are still being polished — but all are advancing GRC into new areas. The current award recipients show thought leadership that takes GRC in new directions.
These awards are challenging as there is a strong subjective element to them. There are many great technologies nominated that GRC 20/20 desires to recognize but did not quite make the award process. Unlike GRC 20/20’s Value Awards which are focused on quantitative value organizations have received from solutions, the innovation awards are based on what really captivates and intrigues GRC 20/20 analyst attention as new possibilities and directions in GRC technology. These awards are not for who has a better solution. They are for who is thinking outside the box and taking GRC in new technology directions.
There are some specific themes to be aware of in the 2014 GRC Technology Innovation Award recipients. These track into trends GRC 20/20 is seeing in the broad GRC market. Some themes to look for when reviewing the recipients are (note, these themes do not apply to every recipient but do show some trends that influence selection in 2014):
- GRC Engagement. GRC solutions do not have to be ugly. Organizations are frustrated with interfaces that lack intuitiveness and ease of use; that fail to engage employees at all levels of the organization. Many of the leading GRC solutions in the market look and operate with interfaces that are a decade old – several of the award recipients show that GRC can be engaging and use current trends in interface design and intuitiveness.
- Regulatory Change Management. Several award recipients were selected for their innovations in managing regulatory change which has become one of the significant issues bearing down upon organizations. GRC 20/20 has seen the number of regulatory changes more than double in the past five years in some industries and organizations are strained to a breaking point in trying to manage regulatory change and need new approaches to deliver efficiency, effectiveness, and agility.
- GRC Analytics & Reporting. Some of the recipients were selected for new directions in data analytics and reporting. The intuitiveness and ease of use alongside visualization capabilities were critical here. The ability to pull in a variety of data sets from both internal and external sources and show relationships and provide meaningful information and analysis is critical.
- GRC Cloud. Many of the recipients offer cloud (SaaS) based solutions. GRC 20/20 continues to see the adoption of GRC solutions in the cloud as a predominant trend in the GRC market. Despite security naysayers, some of the most significant and sensitive business information is being managed and stored in the cloud. Some of the greatest innovations in GRC come from cloud-based solutions.
It has been stated that (attribution goes to either Einstein or Schumacher):
Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.
A primary innovation of GRC is to provide GRC solutions that are simple yet get the job done. Like Apple with its innovative technologies, organizations must approach GRC engagement in a way that re-architects the way it works as well as the way it interacts. The GRC innovation goal is simple; it is itself Simplicity. Simplicity is often equated with minimalism. Yet true simplicity is more than just absence of clutter or removal of embellishment. It’s about offering up the right GRC information, in the right place, when the individual needs it. It’s about bringing interaction and engagement to GRC process and data. GRC interactions should be intuitive.
The 2014 GRC Technology Innovation Award recipients are (please follow hyperlinks to see more detail on each recipient):
- 360factors Empowers Organizations to Stay Current in the Midst of Change. 360factors’ innovation is in change management with an elegant and intuitive user interface for mapping GRC. This mapping solution seamlessly maps policies & procedures, permits and their requirements, controls, risks, legislation, regulations, and more. While there are many GRC solutions that allow tagging and mapping of content the innovation by 360factors is the elegance and intuitiveness in their interface. They simplify a process that in other solutions requires going through multiple screens and drop-down menus. This is core to GRC that requires an information architecture that maps risks, policies, controls, assessments, training, and more to the underlying requirements that drive them.
- ACL Integrates Automated GRC Monitoring with Proactive Surveys & Questionnaires. ACL delivers an innovation that combines the concepts of management assurance and audit assurance to structurally shift what is considered “data” in the context of measuring risk and control activities in assurance activities. They have created an intuitive and elegant approach to combine data analytics with surveys and questionnaires to provide stronger assurance and automation. At a tactical level, this innovation revolutionizes the way a GRC professional is able to address problems around control monitoring, compliance violations, and policy violation. At a strategic level, this innovation structurally shifts and aligns “human data” with “systems data”, effectively allowing the GRC analyst to treat populations of people as a data source. The overall solution is not just functional on a new level but brilliant in its intuitiveness and ease of use.
- ACL Goes Mobile with the Most Complete and Intuitive Mobile Interface for GRC. ACL has brought end-to-end audit management functionality to Apple mobile devices in the form of a native mobile app, used in conjunction with their cloud-based GRC and audit management platform. The ability to leverage a native app (not mobile web or low-fidelity “hybrid” type applications) enables ACL to make full use of the hardware capabilities of Apple mobile devices. There are many GRC mobile solutions on the market – but they offer limited functionality and do not always take full advantage of the native mobile environment. The key innovation is that the app leverages the native iOS SDK to provide the best mobile GRC user experience that GRC 20/20 has encountered, with deep integration with the device’s hardware capabilities including camera, microphone, GPS, touch gestures, hardware rotation, etc.
- Be Informed Empowers Organizations to be Agile in the Midst of Regulatory Change. The Be Informed GRC-solution uses innovative semantic technology to deliver a shared vocabulary of business concepts describing the terminology of products, services, processes, activities, business knowledge and policies. The Be Informed semantic technology enables the dynamic management of regulations and changes in the GRC environment. This allows organizations to stay current with the ever-continuing stream of new and changing regulations. In the GRC-space this means being able to handle complexity and change (e.g., regulatory change, business change, risk change), to provide a holistic integrated view of change, to enable transparency, and have complete insight and overview of accountability domains – on both content and process.
- Convercent delivers agile compliance reporting. Convercent is a cloud-based solution that delivers integrated reporting across key compliance functions, including policy management, learning management, hotline, and investigations, to enable more effective compliance risk monitoring, management and mitigation. This is done through an elegant and intuitive user interface that delivers depth while minimizing technical acumen needed. With Convercent, it becomes easy to rapidly report on the effectiveness of compliance efforts; drill down to track, monitor and remediate developing compliance risks. Convercent delivers layers of reporting and analytics, with the ability to use Microsoft Office tools to create a “two-click board report,” updatable in real time.
- Corl Mitigates 3rd Party Risk Through Ongoing and Proactive 3rd Party Intelligence. Third-party breaches and regulations are increasing drastically, but effective third-party security risk management is expensive, time consuming, and resource intensive. As a result, many organizations have programs that do not provide full coverage, or provide a false sense of security. Corl’s vendorsecurityRM provides organizations with the information they need to effectively focus their vendor due diligence efforts on those vendors who present the most risk. Data breaches can be costly due to the cost of remediation, regulatory fines, and reputation damage. Corl’s risk-based approach helps organizations focus their vendor security risk management efforts where they will have maximum impact and value.
- Digital Reasoning provides intelligence on communications, relationships and risks. Financial institutions are seeking a more complete picture of the people and organizations that pose risks or promise opportunities. Digital Reasoning’s Synthesys 3.8 provides real-time situational awareness for decision makers as it can rapidly examine human communication and uncover relationships and risks that may have been intentionally concealed. Synthesys is a machine-learning platform, which understands human communication (emails, social media, chat, documents, etc.) on a massive scale and identifies and visualizes complex relationships and risk. Specifically, it identifies and aggregates knowledge about people and organizations to make relevant predictions about future behavior of employees, customers or bad actors.
- ERP Maestro Delivers Automated Security & Access Controls Through the Cloud. Automated Segregation of Duty and Access Control solutions are known to be exorbitantly expensive and take a considerable amount of consulting resource and time to implement. ERP Maestro’s Access Analyzer™ solution provides Segregation of Duty and Sensitive Access Analytics and reporting over a completely cloud based architecture. With a cloud based delivery mechanism of an Access Controls solution, not a hosted solution technology, customers receive cost benefits of a multi-tenant environment and the exclusivity and security of a dedicated server. The solution is truly innovative as it is contained within a deployment that dynamically grows and shrinks based on its demand (number of organizations using the system).
- Integrc’s RouteONE Delivers Significant Efficiencies in GRC Implementation. The cost and time to implement GRC solutions has been a barrier to many organizations, particularly those integrated with an ERP environment such as SAP. Integrc is an innovative service provider that enables organizations to achieve the rich value of SAP GRC but in a way that is radically different. With Integrc’s innovative RouteONE, many elements of an SAP GRC deployment have been reduced from weeks to minutes. RouteONE is game-changing because it unlocks the potential of integrated SAP GRC, which for many SAP customers was previously out of reach. Now they can dismantle many of their technology, cost and time-related barriers, roll-out SAP GRC far more quickly and cost-effectively than ever before and focus more effort on business change and end-user adoption.
- Lexer Enables Organizations to Monitor and Manage Brand & Reputation in Moments of Crisis. Lexer’s innovation is a solution to integrate and visualize streams of data to manage reputation and continuity risk across social media and other 3rd party content providers. Lexer does this by producing highly accurate geographic insights used as the conduit between the various data sources such as census, socio-economic, transactional, CRM, and customer support. This unified data set offers businesses a new perspective on reputation and brand risk since it offers a wealth of detail on data previously inaccessible. Lexer now has the ability to create complex personas based on behavioral, social and economic profiles that give businesses a new perspective on the way consumers react, engage and change in brand incidents.
- MetricStream Offers Capability to Actively Deliver GRC Content from Multiple Sources. MetricStream’s GRCIntelligence.com is an innovative cloud-based content portal that enables GRC professionals to access and integrate the latest GRC content from a variety of knowledge providers and information sources through a single online content store – GRCIntelligence.com. GRCIntelligence.com offers a marketplace to source a wide array of content around regulatory updates, risk and control libraries, policy updates, market intelligence and news feeds. The portal is integrated with MetricStream GRC Platform, thus providing subscribers with content updates and notifications directly within the MetricStream GRC application.
- Modulo Enables Intuitive Reporting and Analytics through GRC Intelligence Integration. Modulo’s innovation is in enhanced reporting and analytics with its GRC Intelligence module. GRC Intelligence acts as a portal for integrating real-time information from any data source – including IT security, physical security and incident management tools; vendor surveys; social and mobile analytics and more – in context of GRC management programs through the reporting capabilities of Microsoft Business Intelligence tools. Using SharePoint and PowerPoint 2013, GRC Intelligence facilitates the process of sharing by allowing users to access GRC data directly on interactive PowerPoint slides – ensuring real-time data.
- ngCompliance’s Sherlock Makes Regulatory Change and Policy Management ‘Elementary and Deductive.’ ngCompliance’s innovation is the ability to automate the analysis of regulatory change against the organization’s policies and procedures. Sherlock has a rule-mapping module that allows the organization to create a mapping between applicable laws and regulations on one hand, and the organization’s policies, processes and procedures on the other hand. Whenever there is a regulatory change, it can be used to quickly identify the impact on business areas, policies and procedures and initiate a change management process to realign in a timely manner.
- True Office engages employees through interactive GRC learning experiences. Impacting and driving learning around compliance and risk management is the “last mile” of GRC. After considerable investment is made in managing GRC risks and controls, it is important that an organization’s work force, the front lines of the business, is able to effectively learn the policy and its impact on the company’s business outcomes. True Office is demonstrating innovation in interactive, gamified training solutions applied to compliance & risk management, professional development and customer proficiency. True Office, because of its ability to bring dry policy to life, engage learners and measure their efficacy through rich, comprehensive analytics, is paving the way for a new era of Policy & Training Management.
- UCF Demonstrates it is the Science of Compliance Through its Recent Patent to Map Requirements. The Unified Compliance Framework® is the science of compliance that has recently received a patent for its applied technology for the structure, process for interpretation, quality assurance, and most particularly the segmentation and mapping of regulations. The UCF has been around for several years; the innovation recognized is their recent patent, process, and schema for segmenting and mapping regulations that will take the UCF well beyond the focus of IT compliance they have been successful with in the past. The solution will be delivered to vendors and corporate customers in the way of a RESTful API, XML tables, and interactive applications.
GRC 20/20 wishes we could recognize more – but we had to put a cap somewhere. Fifteen seemed like the appropriate number. There were many great submissions – some more innovative than others.
The 2014 GRC Technology Innovation Awards were filled with competition. Nominations increased to 62 over last year’s awards, and fifteen winners were selected. GRC 20/20 looked through all of the submissions, asked for clarification where needed, and selected 15 recipients that demonstrated outside the box thinking in taking GRC in new directions to receive this year’s award.
ERP Maestro Delivers Automated Controls Through the Cloud
Automated Segregation of Duty and Access Control solutions are known to be exorbitantly expensive and take a considerable amount of consulting resources and time to implement. They require large software fees, hardware costs, consultant fees and complex training projects. While large organizations are overcoming these hurdles, they remain a challenge today for organizations of all sizes, particularly small to medium sized organizations.
ERP Maestro’s Access Analyzer™ solution provides Segregation of Duty and Sensitive Access Analytics and reporting over a completely cloud based architecture. Their unique utilization overlay reporting graphically identifies risks and remediation paths. With a cloud based delivery mechanism of an Access Controls solution, not a hosted solution technology, customers receive cost benefits of a multi-tenant environment and the exclusivity and security of a dedicated server. The cost savings associated with on demand allocation of servers is passed on to the subscribing customer, allowing small to medium enterprises to afford an enterprise Access Control solution.
The solution is truly innovative as it pools a massive amount of cloud resources to provide on demand server allocation as a dedicated server when needed by the client, while dormant servers are deactivated or recycled to other customers. The solution is contained within a deployment that dynamically grows and shrinks based on its demand (number of organizations using the system).
Interestingly, this can also serve as a bridge for companies implementing SAP GRC10. Large companies want a stopgap solution for the complex implementation process that represents GRC10. Some companies are waiting for budget approvals and/or developing a business case. ERP Maestro’s solution price point allows it to serve as that stopgap solution to address SoD needs until the major SAP GRC solution is implemented.
The model is of particular interest to small and medium sized organizations that can now afford the implementation of an enterprise Access Control Solution because of ERP Maestro’s model. The entire process is no longer expensive, complex and drawn out, allowing funds to be focused on remediation efforts. The simplicity of their subscription-based service empowers companies that traditionally would not pursue an Access Controls solution to now proliferate the capability and manage the risk of Segregation of Duties more effectively.
End users have anywhere, anytime access to a web interface that allows them to connect to their ERP system (SAP is the only ERP currently supported by ERP Maestro). The data is securely analyzed using an on demand, dedicated server located in a server farm, then the results are compiled into multiple reports for consumption. While cloud technology isn’t new, ERP Maestro’s ability to process analytics on hundreds/thousands of clients simultaneously based on its analytics engine is indeed new and innovative technology which empowers them to offer a premium service at a low subscription fee.
To learn more about the GRC 20/20 2014 GRC Innovation Awards and other recipients, please visit this post: GRC 20/20 Announces 2014 GRC Innovation Award Recipients